The present invention relates to a technique of assuring validity of an original, utilizing digital signature.
Recently, digital signature becomes more important as electronic commerce or the like becomes widespread. General structure of digital signature is as follows.
Namely, a signer generates a digital signature A by applying his secret key to a message digest (for example, a hash value) of a message M. Then, he sends the message M together with the digital signature A to a counterpart. On the other hand, a verifier compares a result of applying a signer's public key to the digital signature A with the message digest obtained from the message M, and examines whether both coincide, to verify the signature. When both coincide, it is assured that the digital signature A is the signature generated by the signer to the message M.
Here, it is necessary that a secret key used for a signature has not to be used illegally by a third party. It is considered that the secret key is illegally acquired not only by leakage owing to defective management but also by calculation from a public key. Although the calculation from the public key is difficult from a viewpoint of calculation volume at present, it may become possible in the future, owing to enhancement in computer performance or improvement in calculation algorithm. Once the secret key is acquired illegally, an illegitimate third party can rewrite a message M and generate a digital signature A to the message M. In that case, generation of the digital signature by an illegal third party who rewrites the message M can not be detected by the above-described method of using the public key to verify the digital signature A.
Accordingly, as a countermeasure against such a threat, a technique of Japanese Unexamined Patent Application Laid-Open No. 2001-331104 is proposed. In that technique, a secret key is applied to a hash value of a message as an object of assurance and a hash value of a digital signature to a message received just prior to the message as the object of assurance, in order to generate a digital signature to the message as the object of assurance. Hereinafter, such a digital signature is referred to as a chain signature. Then, this chain signature is added to a log list. Further, an arbitrary chain signature in the log list is made open by a reliable agency periodically.
Further, at the time of verification, the chain signature as an object of verification is verified by using a public key. And, concerning from the chain signatures registered in the log list after the chain signature as the object of the verification to the a chain signature made open by the reliable agency, a connection between each chain signature and a preceding or a following chain signature is verified. Here, a tampering of the chain signature made open by the reliable agency can be easily detected by comparing the chain signature with its contents made open. Thus, non-tampering of the chain signature as the object of the verification can be confirmed, when the verification of the chain signature in question using the public key is completed, the verification of the connection between the above-mentioned each chain signature and the preceding signature or the following chain signature is completed, and non-tampering of the opened chain signature is confirmed.